By Jérôme Sandrini
Security solutions are fragmented in their approach to protecting the enterprise. There are too many point solutions focused on a single task that fail to address businesses’ overall security health. Therefore, it’s easy to understand why many organizations can’t see the forest for the trees when it comes to best addressing potential cyber attacks.
Managed Security Service Providers (MSSPs), remain a sensible business option to secure the modern digital enterprise due to cybersecurity’s complexity, cost, the value at stake, and the substantial risk of digital catastrophe. MSSPs manage some or all security services—perhaps, managing networks and gateways for a customer who then concentrates scarce resources on endpoints. Or vice versa. This “slice and dice,” non-integrated approach to security is inefficient to say the least and is often driven more by business interests than security best practice.
Over time, the MSSP market has become complex with an array of offerings, each defined in different ways by competitor providers. But as threats have shifted from the ILoveYou virus to more consequential perils, so has the need to adopt advanced security services.
The question then becomes, how does a company evolve from typical reactionary practices that have unfortunately become the norm to a prescriptive approach that stays ahead of the modern-day hacker?
Companies require cutting-edge detection and response techniques. They need a true, holistic approach to security, including the latest technologies such as analytics. That’s where Managed Detection and Response (MDR) comes into play.
The Effectiveness of MDR
For all the complexities of security, the main goal is not hard to understand—aid businesses in improving the average time to detect and respond to cyber threats. This is fundamentally what MDR is all about. Of course, it’s a lot simpler to say than to do. To achieve an effective MDR service, the elements including analytics, threat detection, response tied to workflow, Security Information and Event Management (SIEM), and vulnerability management are recommended.
In cybersecurity, analytics provides benefits and is complementary to traditional signature-based detection. An intrusion or breach results in anomalous activity—whether by an endpoint, a process, a network device or a person. Machines excel at detecting anomalies, especially when those machines have had time to train on data.
Along with “response,” threat detection is fundamental to MDR. It must go beyond endpoints to include broader detection capabilities, including networks and IaaS and SaaS applications.
The “R” or “response” in MDR is at least as important as the “D.” Response to threats must be efficient and effective. Response comes in a variety of forms including incident validation, notification, alerting, consulting, remediation and/or outright repair.
MDR is not a substitute for SIEM, and SIEM by itself cannot do all that MDR can. Security event management increasingly uses global threat feeds and outputs of machine learning in combination with the traditional logs SIEM has always consumed.
Regular vulnerability scans identify assets at risk to help avoid breaches. This is less about “detect and response” than it is “prevent.” As part of a holistic, comprehensive service, MDR should analyze scan results, typically combining them with the latest threat intelligence, to develop a prioritized list of vulnerabilities and understanding whether the exploit can be realized in the system.
The Prescriptive Security Approach
While MDR is clearly an improvement upon MSSPs, there’s another possible improvement to consider—inoculating systems, or adapting them so that breaches become less likely. In an ideal world, there would be no need to respond, because systems would have already anticipated breaches and adapted accordingly to prevent them from occurring in the first place. This could happen via automation, or it could happen via improved risk and security operations visibility that new MDR tools provide.
Some of the essential components comprising a “prescriptive” or “adaptive” security model include integration, automation, big data, and high-end computing.
The greatest improvements in security will come from continued integration of tools, assets, appliances, reporting, and ticketing systems. Traditionally, security has been provided by various teams within an organization—one managing servers; another networks; another applications. The goal is when a backbone interconnects web gateways, endpoints and sandboxes, remediation can occur at the fastest speeds. This happens via integration and is defined by the ability to adapt and prevent rather than “detect and respond.”
Closely aligned with integration is automation. Cybersecurity excellence will always involve human analysis and interpretation, yet automation should process threat discovery, ticketing, and notifications. Automation reduces dwell time. It improves response time. And because security personnel are increasingly hard to find, it is a practical way to concentrate human talent on “non-automatable” threats and processes. Emails, notifications, raising and closing of tickets—these kinds of manual activities should be automated so focus is placed on threat analysis.
Security and big data often seem to work in opposition to one another, but that’s not necessarily true. Consider a company that has access only to its own data. This company is essentially operating with a “small sample size.” Its fund of log sources, experience, and data is limited. Contrast this to MDRs which have access to far more data, logs, and information than any single company. In statistical terms, they have access to a population of data. Combining big data with analytics results in a very powerful predictive capability, and ultimately improves the ability to manage risk sensitivities.
Malware works fast and turns computing power against the hacker’s victim. One way of fighting back is through that same high-end computing power, particularly when combined with big data and machine learning algorithms. Machines are extraordinarily good at storing data and analyzing it for patterns, averages, and deviations. As more data is brought into those algorithms, accuracy improves. This “adaptive security system” not only ensures a rapid response it enables adaptive and prescriptive capabilities that can make changes before an intrusion happens.
While MSSPs provide important business-focused benefits such as cost savings, operational efficiencies and/or access to hard-to-find expertise, companies today require cutting-edge detection and response techniques to cope with advanced persistent threats, ransomware, and other malware that plagues today’s businesses. By embracing the MDR approach, the security industry has an improved, focused means to stay ahead of cyber threats and stop modern day hackers in their tracks.
Jérôme Sandrini is VP/head of big data, Atos North America.
Oct2018, Software Magazine